A distributed IDS architecture model for Smart Home systems

The conventional security countermeasures like user authentication, data encryption, and security network tools (firewalls, Network Address Translations/NATs) act as first line of defense against external threats. The problem arises when an unauthorized user compromises these countermeasures and is able to use smart devices connected to HAN in unnoticed way. Since many of HAN connected devices use radio transmission, the potential attacker may easily harm or misuse the smart objects and that way influence Smart Home systems (e.g., heating, monitoring, etc.). Therefore, in addition to traditional protection methods, there should be used also security tools which provide protection against both external and internal attacks. One of the potential solution known mainly from enterprise IT systems is an IDS. It aims to detect the intrusions (or anomalies) in real time by protecting nodes from inside and outside threats.

Basically, there are two data sources for IDS—monitored network traffic and data describing events on individual machines connected to the network, including data derived from:Common criteria for classification of IDS solutions include the data collecting mechanisms to enable intrusion analysis. In that case we distinguish between: host-based (HIDS) and network-based (NIDS) intrusion detection systems. In the first case, the raw data collection is based on system/application logs. This category of IDS is also known as Log-based Intrusion Detection Systems (i.e., OSSEC.²) The second approach assumes that network traffic is treated as the source of events which may trigger intrusion detection processes (i.e., Snort,³ Suricata⁴). For this reason, NIDS is designed to monitor all traffic between network entities and capture suspicious events.

The method used to detect attack by IDS system is an another criteria for classification. Essentially, there are three basic methods used for an inspection: (i) based on signature detection which attempts to detect abnormal behavior matching the observed behavior against pre-defined attack patterns, (ii) anomaly based, which identifies malicious activities by analyzing the events (firstly, it defines the normal behavior of the network, then, if any activity differs from normal behavior, it is marked as an intrusion), (iii) hybrid IDS, which is a combination of both anomaly-based and signature-based approaches. Moreover, this classification is extended in [7] to the case of an cross layer IDS (iv), which has the capability to monitor and detect intrusions at multiple OSI layers by analysis of exchanged data across different layers.

Further classification criteria are related to the IDS architecture (e.g., monolithic, hierarchical, distributed, agent-based), the area where these systems are applied (e.g., enterprise networks, Industrial Control System (ICS), wireless networks, etc.) and possible reaction (passive, active).

The broadcast nature of radio communication within the HAN makes is susceptible to various security threats typical for Wireless Sensor Networks (WSNs) [8]. For this reason, further analysis of HAN suitable IDS is focused on solutions adopted for WSNs. In this context, efforts of researchers concentrate mainly on limitations of smart devices which make the implementation of full functionality of IDS difficult. In particular, theoretical work and simulations in this area are carried out to: (i) distribute attack detection tasks between smart devices, (ii) decrease computational complexity of detection algorithms, and (iii) limit the set of attacks which are detectable by the IDSs based on smart devices.

In the first research area we have given particular attention to separate less computational complex tasks performed by constraint nodes (i.e., traffic/events monitoring and reporting) from more complex (i.e., analysis and attack detection) and performed by advanced devices. For this purpose IDS might operate in cooperative cluster mode [9]. It means that every node monitors its neighbors and surrounding nodes activities and operation; in case of any malicious activity detection, the cluster head is informed.

In paper [10] authors have proposed solution based on mobile agents (software modules) which are responsible for anomaly detection in wireless Smart Home sensor networks. This approach assumes that the mobile agent may be installed on each sensor node using a middleware. Middleware used for launching the mobile agent, can also be used for variety of other tasks. The authors mention here mainly the maintenance tasks such as: updating node’s firmware, network management, checking, status of the node, etc. According to the authors, anomalies are detected by IDS modules located on so called Cluster Heads (CHs) which play a role of data aggregators and data forwarder to base station in WSN. For that reason, the CHs should provide sufficient processing power for all the assumed tasks. The Cluster Head performs analysis of the data received from sensors/actuators. The anomalous reading triggers anomaly agent in CH which checks if the suspicious node has been compromised. It is accomplished using the mobile agent launched on victim’s node.

According to the authors, this approach eliminates the need of installing IDS (anomaly detection) software on each sensor node. This results in moving the responsibility of tracking and alerting onto nodes which have more powerful resources. On the other hand, these nodes might not be able to receive anomalous readings and consequently they will not launch the mobile agent.

A similar IDS approach based on mobile agent concept was proposed in [11]. However, unlike the concept presented in [10], where the mobile agent tasks were focused mainly on data collection and reporting to the WSN cluster heads, this solution provides specific task-oriented mobile agents. Namely, it defines following different agents responsible for performing strictly assigned tasks: Collector Agent, Misuse Detection Agent, Anomaly Detection Agent, and Alert Agent. Two of them play the crucial role as IDS components—the Misuse Detection Agent, which detects known attacks in network on the traffic data received from the Collector Agent, and the Anomaly Detection Agent which is used to detect the attacks on basis of anomaly detection algorithm. In case of an attack detection, the both detection agents trigger the Alert Agent which propagates this information.

The second research area concentrates mainly on adjusting the IDS algorithms to constrained nodes properties. These works were published in several papers. The exemplary research results were presented in [12], where authors described modifications of the anomaly based IDS exploiting genetic k-means algorithm. Authors have improved algorithm efficiency and increased attack detection rate compared to basic algorithm. Also results described in [13] present algorithms, optimized for cluster based WSNs. In that case, authors adopted machine learning approach based on selected supervised learning model—support vector machine (SVM). It was exploited for data analysis and misuse detection in a distributed environment. The learning algorithm is used to drive SVM to distinguish between normal and malicious patterns. It is designed to operate in cluster based WSNs, where all nodes monitor their neighbors.

The third research area shows that the majority of the existing intrusion detection solutions are capable of handling only a few security attacks. Particularly, the signature-based IDS solutions make use of this assumption, since they consume more resources for computations as compared to anomaly-based IDS. In this context, authors of [14] enumerate list of security threats typical for IoT and specifically WSNs, and among the following: Sinkhole Attack, Wormhole Attack: Selective Forwarding Attack, Sybil Attack, Hello Flood Attack, and the Denial of Service (DOS) Attack. Following this list, several IDS examples are described in the literature. Specifically, authors of [15] proposed an IDS detecting black hole attacks in WSNs. In this proposal, sensor node and base station are exchanging control packets containing the node id and number of packets sent to the cluster head. This information is propagated to the base station which additionally monitors all passing traffic. According to the authors, this approach decreases energy consumption of nodes. Another proposed IDS concept, described in [16], aims at detecting Sybil node attack in WSN. In their work, authors proposed two stage method for solving this problem. Namely, the first stage is that cluster head polls slave nodes for their identities and position data. Received data are stored in the table maintained by the cluster head. In the second stage, all authorized nodes reply to the cluster head with their identities and current position data including the Sybil node. Finally, the cluster head matches received and stored data to discover the Sybil node. The authors claimed that proposed system improves the energy efficiency and it detects the Sybil node with reasonable accuracy. In this context, it is worth to note that energy efficiency and securing data transmission is a new challenging area in IoT applications. Several research efforts have been published in [17, 18]. In a hybrid approach joining signature- and anomaly-based methods, a good example is a conceptual IDS called SVELTE described in details in [19]. Authors decided that the monitoring part (which is computationally lightweight) is to be implemented into resource-constrained nodes. The resource demanding functionality is placed onto the Border Router (BR) which is an edge node connecting 6LoWPAN network with the Internet (acts as a technology gateway). The basic IDS functionality of SVELTE aims to detect attacks targeted to the routing mechanisms, in particular spoofed or altered information, sinkhole, and selective forwarding attacks

As devices in IoT are resource-constrained and anomaly-based IDS requires computationally intensive operations, placement of IDS modules in a IoT network becomes a critical issue. In this context, SVELTE described in [19] follows this approach and proposes the lightweight monitoring functionality to be implemented into constrained nodes. More resource demanding IDS processes are performed by the Border Router (BR) of the 6LoWPAN network.

A generalized approach for separating the network monitoring part and the detection part is known as Cooperative Autonomous Attack Detection and was described in [20]. The proposed idea introduces a multi-hierarchy monitoring environment for capturing packets and performing flow statistics. It assumes that this functionality is spread through the network but it builds up one detection system that analyzes data monitored at different points of the network. Furthermore, an output of the detection system can become an input of other detection system by exporting aggregated monitoring data.

An similar approach was proposed in [21] however authors have emphasized that this solution has been adjusted to grid networks specificity. Smart Grid Distributed Intrusion Detection System (SGDIDS) is a hierarchical and distributed IDS dedicated for smart grids. It divides monitored network into three layers: HAN, Neighborhood Area Network (NAN), and Wide Area Network (WAN). Each of them includes dedicated nodes with Analysis modules (AM) responsible for packet flow analysis. These modules use classification techniques such as Support Vector Machines (SVM) and Artificial Immune System (AIS) to inspect network traffic to efficiently classify malicious events. According to the authors, achieved results suggest that the proposed approach employing both techniques can considerably improve detection effectiveness.

A cloud infrastructure operated by the service provider extensively uses virtualization techniques which enables much more flexible resource utilization and is able to serve much more users at that same time. Moreover, all components of the cloud infrastructure run through standard Internet protocols. These may encourage potential attackers to violate security of provided services. That is the reason, why extremely different challenges are faced by the service provider that secures its infrastructure. First, it has to take into account more network-oriented groups of threats, which are aimed at disrupting network operations. According to [22], cloud computing platforms might suffer from attacks such as IP spoofing, Address Resolution Protocol spoofing, Routing Information Protocol attack, DNS poisoning, Flooding, Denial of Service (DoS), Distributed Denial of Service (DDoS), etc. Service providers deploy different security solutions across their networks but in case of datacenters the general approach is similar to enterprise networks. It assumes that the first line of defense is built up from firewalls which prevent outside attacks. Providing the cloud based services requires also that service provider ensures the proper set of security countermeasures against insider attacks. For this purpose it deploys highly efficient IDSs and intrusion prevention systems (IPSs) which, in turn, are used to mitigate these attacks. Also the integration of IoT and cloud computing technologies raises new challenges for securing virtual assets and data coming from smart devices. Current trends in this area have been described in [23].

Generally, there are similar classification criteria to those used for HAN, but the scale of solutions must be proportional to the scale of data being processed and the traffic being handled. For this reason, research on cloud-oriented IDS solutions is focused mainly on efficiency and accuracy. For this purpose new methods are being developed to detect attacks, when analysis is based on huge amounts of data. In this context, authors of [24] extend the basic IDS classification by adding the: Artificial neural network based IDS (ANN), Fuzzy logic based IDS, Association rule based IDS, Support Vector Machine (SVM) based IDS, and Genetic algorithm (GA) based IDS. The above mentioned IDS types are strictly related to techniques used for high volume data analysis for attack detection purposes.

The high volume data analysis and packet traffic is a primary driver for distribution of data processing. It aims to accelerate computations on live traffic data. For that purpose, an distributed IDS model plays an important role. This concept assumes that Distributed IDS (DIDS) consists of several IDS instances and often of both types host- and network based IDSs distributed in the operator’s network. All of them are able to communicate with each other and with a dedicated server responsible for aggregated data analysis and decision making. Each IDS instance collects data (and performs initial analysis or aggregation, depending on the concept), and then sends it to the central server. The IDS instance that collects data is often known as a probe or sensor. An exemplary solution following this approach is described in [25], where authors proposed that IDS instances located in different regions of the provider’s network are able independently to detect attacks and “warn” proper network devices operating in other regions.

Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) [26] is an example of an another distributed network IDS that encompasses both monitoring and analysis components. This approach assumes that computation related to traffic analysis is spread throughout monitoring network nodes. Each node encompasses analysis component which uses both signature-based and Bayesian methods to detect intrusions. Completely another approach was adopted by originators of Dshield service.⁵ They proposed centralized community-based firewall log correlation system which accepts logs from NIDS and firewalls around the Internet, aggregates them and then reports summaries on detected intrusions and possible attack activity. Information about detected attacks is available to network administrators in order to give them the ability to reconfigure and tune their security infrastructure.

An another approach assumes that IDS instances run not only on dedicated machines but also use hypervisor layer (a hypervisor is a platform to run VMs) for monitoring and analyzing communications between VMs, between hypervisor and VM and within the hypervisor based virtual networks. The so-called VM introspection based IDS (VMI-IDS) architecture was described for the first time in [27]. It should be noted that attack detection might be performed by applications residing on VM or at the host machine layer—as a hypervisor-based IDS.

One of the main problems with implementation of IDS on hardware platforms with limited resources is that they are able only to detect known malware using signatures. To generate these signatures, the security experts have to identify attacks, analyze them, and then describe relevant behavior. The description has to be conscious and prepared using standardized methods so that it can be the basis for detection of the same attack next time. This reactive approach has limitations, since it does not work to detect new threats and new attacks that do not have assigned signatures yet. To ensure the access to the all currently known attack signatures it is convenient to run this process in the service provider-managed environment. The most suitable solution for that seems to be the cloud platform.

A characteristic feature of all constrained devices is a limited range of potential actions and usually continuous working. For that reason, machine learning methods seem to be the best way to use data related to the operation of these devices. This form of artificial intelligence is much more reliable than a human and also is much better for scaling. In consequence, behavior monitoring of constrained devices may be the basis for anomaly-based IDS and signature-based IDS but limited to selected attacks.

The proposed solution meets expectations in following key areas of secure Smart Home: (i) fast preliminary analysis and processing of security related data obtained locally from the smart devices within the HAN, (ii) advanced data processing carried out by the service provider, and (iii) making use of the service provider’s knowledge on the security incidents across maintained network. This approach does not exclude deep offline analysis which may be performed by the team of security professionals.

The basic idea of the DIDS for Smart Home system assumes at least that the service provider has to have the ability to manage the HG for the monitoring and control of smart devices within the Smart Home ecosystem. This is possible if the service provider acts e.g., as an ISP which provides Internet access together with smart services to be installed at home. An alternative solutions assumes that HG administrator allows the user to install applications which can be accessed by the service provider and used for smart devices management. The DIDS for a Smart Home combines distributed monitoring and data aggregation with data analysis carried out in ISP’s cloud environment.

The presented approach assumes also that the service provider supports the Smart Home system and maintains the Smart Home applications servers which allow the user to access the Smart Home ecosystem functions over the Internet. Providing access to management functions over the Internet may introduce some new threats to the security of the Smart Home. For this reason, both the activities taken within the HAN and actions taken through the Smart Home platform should be monitored against suspicious activity.

Moreover, assuming that ISP’s monitoring of the suspicious activities is limited to the supported SH applications and should minimize the impact on the HG performance, the IDS functionality should be shared between HG equipment and ISP’s infrastructure. Following this conclusion, the minimal set of intrusion detection functions maintained by the provider encompasses three components: a Home Gateway IDS (HG IDS) residing on a Home Gateway (or technology gateway) at user premises, an ISP’s IDS residing in the ISP’s infrastructure, and the expert system located in the ISP’s data center. All above mentioned functional entities constitute two-layer network architecture for intrusion detection in the Smart Home environment as depicted in Fig. 3.

In this approach, the HG IDS is responsible for local resource monitoring (i.e., CPU, memory and network bandwidth utilization, outages in communication with smart devices, etc.) and performs preliminary log analysis. It acts as a Host-based IDS (HIDS) and performs rule-based detection of Smart Home devices misuse and policy violations. The above limited set of tasks is performed by the HG IDS because they require relatively small computational effort and may be also implemented in relatively less powerful nodes (Home Gateways or technology gateways responsible for communication between constraint devices and the Internet).

In turn, the ISP’s infrastructure is usually ready for processing the long term anomaly analysis of the user’s behavior. For this reason, results of the preliminary analysis at HG IDS are exported to the expert system located at ISP’s premises for further analysis. Moreover, the ISP is also responsible for inspection of the network traffic related to Smart Home applications. This means that the IDS at the ISP’s data center acts as network-based system (NIDS). This two-step IDS structure requires mutual communication between local (HG IDS) and central (IDS expert system) functional entities and is described in details in next paragraph.

The IDS communication model for Smart Home assumes that data for analysis is collected on the basis of the systems logs related to Smart Home applications and resource utilization related to smart devices which use HG/GW for event logging (see Fig. 4). It performs preliminary analysis of available data based on locally stored rules. This analysis exploits: log files and audit records produced by the operating system for every action taken on the HG/GW system related to Smart Home devices and applications. Examples of the audit record include file accesses, system calls, process executions, logins, etc. Moreover, preliminary analysis may encompass also the results of inspections performed by other processes, i.e., integrity checksums, registry entries, monitoring of smart devices, etc. First, the local IDS has to filter desired log files, system call traces (i.e., related to resource utilization) or output data from auxiliary processes (i.e., checking file checksums) and then these data are verified against rules provided by the rules dataset.

The applied rules dataset should fulfill requirements which face fast and effectively (by minimizing the number of false positive and false negatives) intrusion detection process. This scenario-based approach should encompass examples such as: number of logins during an short period of time, system/network reconfigurations, etc. Results of the events auditing are reported to the ISP’s platform for further analysis. This entity may require more information desired for deeper analysis and for this purpose a source data might be retrieved from the HG. The source data are transferred upon the request from the ISP analytical platform.

The reported behavior is analyzed to detect anomalies in behavior by the expert system located at the ISP’s premises and supported by the Smart Home solution manufacturer. This approach assumes that reported security vulnerabilities as well as standard events are observed during the training phase. These data parameterize a model of normal behavior which is additionally supplemented by traffic analysis but in this case traffic analysis is limited to the Smart Home applications and selected fractions of the Internet traffic related to these applications. In this context, access from Internet connected mobile devices seems to be the majority of use cases.

The applied rules should take into account the product life cycle and specifically bug fixes reported by the users and updates applied by the manufacturer. It should also take into account the specificity of Smart Home applications and packet traffic generated by them. These rules are introduced by SH devices manufacturer and should complement the knowledge base used in anomaly detection.

The HG IDS decodes system logs and audit records, and performs analysis against locally stored rules. The results of analysis are periodically transferred to the ISP’s expert system. Particularly, the HG IDS sends alerts triggered on the basis of actually available rules. Depending on the needs, the aggregated logs may be also transferred to expert system for further analysis. However, this action is initiated on demand, as a result of the decision made by the expert system which may desire deeper analysis of raw data.

The expert system provides correlation engine that takes as input aggregated results of IDS instances. Its main task is to correlate detected security flaws for individual Smart Home deployments as well as Smart Home service platform. Moreover, it raises alerts for prevention purposes as well as triggers updates of rules datasets in the HGs. The overall view of the main components of the Expert system is presented in Fig. 5.

Fundamentally, the expert system is responsible for decision making aiming at increasing of intrusion detection efficiency. It deals with correlated events (mainly alerts) and its role is twofold: (i) detection of massive security breach of Smart Home area across the ISP network, (ii) improving efficiency of intrusion detection for SH IDS. The first role is fulfilled by the Correlation Engine that deals with aggregated alerts coming from different sources. Basically, the Correlation Engine performs correlation across two groups of datasets:As an output, the ISP should be able to obtain security breach alerts related to individual Smart Home ecosystem and secondly alerts related to massive suspicious activities in ISP’s network coming from SH platform.

The second role is fulfilled by extending the rules datasets with new rules defined by security experts. These new security rules are result of analysis and experience of jointly security experts supported by ISP’s CERT teams and SH devices manufacturer. Particularly, manufacturers role is important because of the obligation to support the product (i.e., taking into account reported bugs).

The second data source for the expert system is ISP’s IDS which performs network traffic inspection at the ISP’s premises. Acting as a NIDS, the ISP’s IDS performs inspection of incoming and outgoing traffic to/from Smart Home Application servers. The choice of its location is justified considering that SSL or TLS inspection of encrypted connection is difficult and an IDS can only perform limited inspection based on packet headers. Since most of Smart Home applications services maintained in the cloud offer an APIs access over HTTPS, the only place for decryption of traffic to and from servers hosted by ISP is the ISP’s data center. Moreover, the full inspection requires access to the private key used by the SH applications services as well as computational cost associated with decryption. Therefore, locating this node at the ISP’s data center is an optimum solution in terms of performance and reliability.

A comparative description of Smart Home IDS functional components is provided in Table 1. This table lists tasks performed by each component.

Distributed intrusion detection based both on IDS residing in Home Gateways and at ISP’s premises is an optimal approach to the detection of many attacks. Particularly, quickly spreading attacks can be detected and will generate an increasing number of alerts. However, without the centralized infrastructure, it is not possible to have a look at the larger picture of a spreading attacks .